The Payment Card Industry Data Security Standard – PCI DSS – is fundamental to much of the work we undertake with clients.
First published in December 2004 in the wake of the Enron scandal, PCI DSS consolidated the security standards being enforced by Visa, MasterCard, American Express, JCB and Discover.
It is applicable to all businesses that Store, Process or Transmit payment card data, and compliance is enforced by the card schemes, through Payment Service Providers.
Failure to comply can result in the card schemes levying unfavourable or punitive transaction rates on non-compliant merchants, or ultimately the card schemes could withdraw payment capabilities.
Version 3.2, published today, places increased emphasis on rules for data access and on criteria for ongoing compliance programmes, and renews the emphasis on the need to migrate to more secure web protocols.
The old standard – Version 3.1 – will be retired in December 2016, and after that date all PCI DSS assessments will be made against the new standard.
The major changes that the new standard brings in are:
Data Access
The new data access rules will mean that enhanced, multi-factor authentication will be required for all employees who can amend systems that contain card data – User ID and Password will no longer cut it.
There’s a direction here: how long before all access to the Cardholder Data Environment will require such credentials?
Ongoing Compliance Programmes
The new standard incorporates “Designated Entities Supplemental Validation” (DESV), which Troy Leach of the PCI Security Standards Council describes as “a set of criteria that can help service providers and others address key challenges in maintaining ongoing security efforts to protect payments.”
He added that “Many of the requirements are simply extensions of existing PCI DSS requirements that should be demonstratively tested more regularly, or require more evidence that the control is in place.”
Secure Web Protocols
The PCI Security Standards Council announced, back in December 2015, a requirement that all web transactions should be secured using the more secure Transport Layer Security (TLS) protocols, rather than Secure Sockets Layer (SSL).
The Council has also issued a guidance note on the migration.
Some of these new requirements are complex and highly technical, and the PCI DSS standard as a whole runs to over three hundred specific requirements against which companies must demonstrate their compliance. Annually.
We still maintain that, even with the new DESV requirements, the best and most cost-effective means of PCI compliance is for businesses to outsource their cardholder data to suitably certified (PCI DSS Compliant) organisations.
Not only does outsourcing remove the risk of cardholder data breaches – and we all know how prevalent data breaches are – but it allows businesses to focus on their core business: serving customers and making money.
Get in contact, Compliance3 might be able to help your organisation get card data risk off the table, simplify your PCI DSS commitments, and save you money.